Microsoft Releases Out-of-Band Patch for Internet Explorer

Microsoft on Monday released an out-of-band fix for a zero-day use-after free memory vulnerability in its Internet Explorer Web browser.

Security bulletin MS13-008 addresses an issuein Internet Explorer 6, 7 and 8 that could lead to a remote code execution attack if a user visits a specially created malicious Web site with the Microsoft browser.

The zero-day was discovered and first reported by security firm FireEye on Dec. 28. Called the "CFR Watering Hole Attack," the security company said that exploits that took advantage of a publically disclosed Internet Explorer vulnerability had already been spotted in the wild. Attack targets included the Council of Foreign Relations Web site and other human rights-related sites.

The company also reported that it had located a Web site that was used in the hosting a virus that took advantage of the vulnerability.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," the company said in a blog post. "We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time."

In response, Microsoft released a temporary solution in the form of a Fix It workaround that made a change at runtime mshtml.dll. However, days after the workaround release, security firm Exodus Intelligence said that the zero-day could still be exploited even after the Fix It had been applied.

"After posting our analysis of the current 0day in Internet Explorer which was used in a 'watering hole' style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability," said the company in a blog post. "After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week."

Microsoft said that Monday's bulletin has resolved the issue and advises those that don't have automatic updating enabled to apply the security fix as soon as possible. Those that are running Internet Explorer 9 and 10 are not affected by the vulnerability or the fix.